Solved

Windows 2003 user password problem

Posted on 2006-06-29
1,605 Views
Last Modified: 2008-08-18
We have some users that are in remote offices connected via a VPN client (Cisco). I've noticed that they will get their 60-day domain password change notice, and once they do that, it seems that their machine password doesn't sync, and the password is completely off.

Is there a certain way everyone deals with this?
Question by:shankshank
11 Comments
 
LVL 9

Expert Comment

by:bigjimbo813
ID: 17013093
Passwords fail to synchronize in a Windows domain, seemingly at random

Cause:  Password Synchronization is not configured identically on all domain controllers in the domain. As a result, if a nonconforming domain controller accepts a user's password change, it might not be able to change the password on UNIX computers.

Solution:  Ensure that Password Synchronization is configured identically on all domain controllers, particularly host settings and default settings for encryption keys and ports.


source: http://technet2.microsoft.com/WindowsServer/en/Library/7f960d32-96ff-474a-8556-528836731e8e1033.mspx?mfr=true
0
 
LVL 5

Author Comment

by:shankshank
ID: 17013143
That's not it, since we can change while physically on the network with no problem.

It's the VPN that screws up.


0
 
LVL 5

Accepted Solution

by:
napoleon41 earned 168 total points
ID: 17014093
Are the remote computers members of the domain?  We had some problems with profiles and various mapping/logon scripts until we removed the remote computers from the domain.  Granted, a lot more stuff has to be configured manually, but we have a small group of people working remotely (transcriptionists mostly).

Now, we hook our users up with our SSL VPN gateway and have them RDP onto a terminal server.  Bye, bye remote issues.  Just food for thought. (http://www.sslexplorer.com  Note: they have a free edition because they built it on Linux.  I love open source.)
0
 
LVL 6

Assisted Solution

by:engineer_dell
engineer_dell earned 166 total points
ID: 17014566
Two things I would try, first look for any cached passwords relating to your server on their remote machine.
Control Panel --> Users --> Advanced --> Manage passwords

Also, you may want to edit the hosts and lmhosts files so that they have entries for your server.

A VPN router running Windows Server 2003 supports the logging of authentication and accounting information for VPN connections in local logging files when Windows authentication or Windows accounting is enabled. This logging is separate from the events recorded in the system event log. You can use the information that is logged to track site-to-site connection usage and authentication attempts. Authentication and accounting logging is especially useful for troubleshooting remote access policy issues. For each authentication attempt, the name of the remote access policy that either accepted or rejected the connection attempt is recorded.

The authentication and accounting information is stored in a configurable log file or files stored in the SystemRoot\System32\LogFiles folder. The log files are saved in Internet Authentication Service (IAS) or database-compatible format, meaning that any database program can read the log file directly for analysis.

If the VPN router is configured for RADIUS authentication and accounting and the RADIUS server is a computer running Windows Server 2003 and IAS, the authentication and accounting logs are stored in the SystemRoot\System32\LogFiles folder on the IAS server computer.

0
 
LVL 5

Assisted Solution

by:ssmith764
ssmith764 earned 166 total points
ID: 17071920
Hi,

I may be barking up the wrong tree here but is the VPN a permanent connection from the remote office or do the users start the connection from their machines? The reason I ask is if the users are not actually logging in to the domain but are logging in to their machine with cached credentials and THEN starting the vpn connection, when they change their passwords over the vpn the cached password on their machine will not be changed.
0
 
LVL 5

Expert Comment

by:napoleon41
ID: 17073429
That's good thinking ssmith764.  I have never actually used the VPN "client" in a situation where the remote computer is a member of the domain.  Computers using the VPN client are not members of the domain.

All of our full-time remote users are LAN-to-LAN where they are on a permanent tunnel with a router/pix501 at their house to provide the tunneling to the concentrator on site.  To those computers, the VPN is transparent and they might as well be jacked into a switch on site.  Computer/User security policies are slower (their login time slower), but everything else works fine.

Obviously that requires some ACL rules to prevent their Internet traffic from pulling through the VPN, and for security reasons, we have chosen to deny their "company provided computer" from accessing the Internet.  We have, though, set up rules to give their personal computer(s) access to the Internet and deny them from the VPN.  Usually this is done by giving the company computer a static IP address and then providing a DHCP pool for their personal computers.

Security, security, security.

0
 
LVL 5

Author Comment

by:shankshank
ID: 17266244
Smith: The VPN connection is not a permanent connection, but a VPN client run after the user logs in.
napoleon: I am curious about your router/pix501 setup, and about not giving the users the ability to access the net through the VPN. I wouldn't mind implementing a setup like that so that these VPN clients can access our network fine, but Internet traffic goes through their cable modem or ISP instead of through the VPN.


0
 
LVL 5

Expert Comment

by:napoleon41
ID: 17266933
Basically, there is a pix501 (or a SOHO router) at their house that is the first device in the chain from their Internet connection.  The PIX controls the Internet connection and access, and maintains a more or less permanent VPN connection with the Cisco Concentrator (used to use a PIX, though) at the hospital.  This type of connection is called a LAN-to-LAN VPN.

The pix501 hands out a dhcp address, subnet mask, and default gateway to them and contains routing information.  

Hospital Network - 172.16.0.0 255.255.0.0
Remote user's home network - 192.168.100.0 255.255.255.0

For security and function, we configure various ACLs (access control lists) and/or routing statements that direct the user's traffic.  If the destination is a 172.16 address, the 501 forwards the traffic down the VPN.  Any Internet traffic is sent out their Internet connection (and not the hospital's), and any local traffic is kept in their local network (printer, home network, XBOX, etc.).  Usually, we statically assign their "company computer's" IP address and only allow that station access to the VPN.

All of our VPN's use IPSEC, but with Cisco devices, you can pretty much do anything you want.

Diagrams and descriptions of how to set up two PIX firewalls for a LAN-to-LAN VPN using the PDM (GUI) interface.  It covers the basics without getting into the Cisco command line.  I have found it difficult to use only the PDM, though, and end up doing most of my configurations of ANY major network device through the command line interface.  But, hey!  This one has pictures.  Ha!
http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a008055bd85.shtml
 
0
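The split-routing policy napoleon41 describes (hospital 172.16.0.0/16 down the tunnel, only the statically addressed company PC allowed into it, personal devices out the home ISP and never into the VPN, company PC denied the Internet) can be modelled as an ordered, first-match ACL. The block below is an added illustration, not napoleon41's PIX configuration and not Cisco syntax; the two networks are the ones from the post, while the company PC address 192.168.100.10, the sample destinations and the rule order are assumptions of this model. It also includes the check a practitioner would want: a small audit that catches the classic mistake of putting the "permit anything to the Internet" rule ahead of the deny rules, which silently lets the company PC reach the Internet.

```python
"""Model of the LAN-to-LAN split-tunnel ACL described in the thread.

Added example, not part of the original thread or any real PIX config.
Networks come from the post; the company PC address, sample hosts and
the rule ordering are assumptions of this model.
"""
import ipaddress
from collections import namedtuple

# One ACL entry: permit/deny a src->dst pair and say which egress it gets.
Rule = namedtuple("Rule", "action src dst egress")

HOSPITAL_NET = ipaddress.ip_network("172.16.0.0/16")      # from the post
HOME_NET = ipaddress.ip_network("192.168.100.0/24")       # from the post
COMPANY_PC = ipaddress.ip_network("192.168.100.10/32")    # hypothetical static lease
ANY = ipaddress.ip_network("0.0.0.0/0")

# Ordered like a router ACL: first match wins, implicit deny at the end.
POLICY = [
    Rule("permit", HOME_NET, HOME_NET, "local"),      # printer, XBOX, etc. stay at home
    Rule("permit", COMPANY_PC, HOSPITAL_NET, "vpn"),  # only the company PC reaches 172.16/16
    Rule("deny", COMPANY_PC, ANY, None),              # company PC gets no Internet at all
    Rule("deny", HOME_NET, HOSPITAL_NET, None),       # personal devices never enter the tunnel
    Rule("permit", HOME_NET, ANY, "internet"),        # personal devices browse via the home ISP
]

# The same rules with the catch-all Internet permit moved to the top: a
# plausible misconfiguration that the audit below should flag.
MISORDERED = [POLICY[4]] + POLICY[:4]


def evaluate(policy, src, dst):
    """Return 'local', 'vpn', 'internet' or 'drop' for a src->dst packet."""
    s = ipaddress.ip_address(src)
    d = ipaddress.ip_address(dst)
    for rule in policy:
        if s in rule.src and d in rule.dst:
            return rule.egress if rule.action == "permit" else "drop"
    return "drop"  # implicit deny, as on a real ACL


# Constructed probe addresses: the company PC, one personal device,
# a home printer, a hospital host and a public (documentation-range) host.
SAMPLE_HOSTS = ["192.168.100.10", "192.168.100.50"]
SAMPLE_DESTS = ["192.168.100.20", "172.16.5.5", "203.0.113.7"]


def find_violations(policy):
    """Check the policy against the intent stated in the post.

    Returns a list of (src, dst, reason) for every probe that either lets a
    non-company host into the tunnel or lets the company PC out to the Internet.
    """
    violations = []
    for src in SAMPLE_HOSTS:
        s = ipaddress.ip_address(src)
        for dst in SAMPLE_DESTS:
            decision = evaluate(policy, src, dst)
            if decision == "vpn" and s not in COMPANY_PC:
                violations.append((src, dst, "non-company host reached the tunnel"))
            if decision == "internet" and s in COMPANY_PC:
                violations.append((src, dst, "company PC reached the Internet"))
    return violations


if __name__ == "__main__":
    for src in SAMPLE_HOSTS:
        for dst in SAMPLE_DESTS:
            print(f"{src:>16} -> {dst:<14} {evaluate(POLICY, src, dst)}")
    print("violations in POLICY:", find_violations(POLICY))
    print("violations in MISORDERED:", find_violations(MISORDERED))
```

Rule order is the whole point: on a first-match ACL the two deny entries only work because they sit above the catch-all permit, and `find_violations(MISORDERED)` shows the company PC leaking to the Internet as soon as that order is reversed. Running the same kind of probe table against a real ACL change before pushing it is a cheap way to keep the "security, security, security" intent honest.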
